1. Field of the Invention
The present invention relates to a method (and system) for protecting a computer system against the manipulation of data stored in a data storage arrangement of the microcomputer system. In particular, the present invention describes a method (and system) for monitoring accesses to a data storage system and detecting an intrusion or any other intentional or unintentional unwanted modification to persistent data stored in the storage system. Furthermore, the present invention relates to a method (and system) for recovering data if an unwanted modification is detected.
2. Description of the Related Art
Typically, intrusion detection methods and systems are used to protect data stored in a computer from unwanted modifications, which compromise the computer system. Unwanted modifications include, for example, intentional or unintentional modifications to the stored data, as well as intrusions.
Conventional systems and methods have been developed for detecting when someone has compromised a computer system. Conventional intrusion detection methods (and systems) include network-based intrusion detection and host-based intrusion detection. Network-based methods detect intrusions in the networking systems, and include programs that search for suspicious activity in a network by monitoring the traffic on a network. Host-based methods, on the other hand, include software that monitors the activity of a host system and detects an intrusion on a particular machine (e.g., local memories, hard discs, etc.). While these approaches can be effective, they can be easily compromised in many ways. Once the host system is compromised, intrusions may go unnoticed and permanent damage can be done to the system and the data it contains.
One of the components of a computer system which is less likely to be compromised is the storage system. Since these systems are exposed to the outside world through a narrow applications programming interface (API) and their architecture is not as well known to the general public as that of host systems, storage systems provide a good place to provide protection against intrusion. Storage systems detect changes to persistent data and therefore can detect several types of intrusions, especially those which persist across boots.
Storage systems are particularly suited for detecting intrusions because they interface to the “outside world” in a limited way, for example through the small computer systems interface (SCSI) command set, a standard defined for connecting peripheral devices such as CD-ROM drives to computers, and are therefore not as easily compromised themselves.
Intrusion detection techniques can be deployed in various storage systems. For example, intrusions can be detected at block storage level and in storage area network (SAN) devices, such as the SAN volume controller (SVC) and Enterprise Storage System (ESS).
There are several important advantages to using storage-based intrusion detection systems. As mentioned above, storage devices are not readily accessible. It is easy to break into a CPU through a network. For example, in an Enterprise Storage System using a SAN, multiple client machines/servers are connected to a single storage system. The servers/machines can be easily compromised, but the storage devices are not easily accessed by intruders.
During an intrusion, something (e.g., a file) in the computer system will be modified. In particular, an intrusion will negatively affect the computer system. Many significant intrusions will cause a change inside of the storage device. The storage device is a good place to look for intrusions because most intrusions to the servers/machines will have an impact on the storage device, but the storage device itself is not easily accessible to an intrusion.
Conventional systems have been developed for intrusion detection in file servers or for memory, but there has been no solution for block storage systems.
One conventional system for content protection in non-volatile storage devices creates signatures of regions of a storage system and then, once in a while (e.g., at reboot time), recreates the signatures. If anything has changed in the recreated signatures, then the system concludes that an unauthorized access has occurred.
In this system, however, if it is desired to recover the content prior to the intrusion, then one needs to have saved a copy of the regions of interest. This requires the user to make copies of the entire volume of the storage device. Copying the entire volume cannot be done frequently because it takes a considerable amount of time. If, however, the copies are not made regularly, the content that the user can recover once an unauthorized access is discovered is very old and out of date.
This conventional system has been proposed for protecting the content of non-volatile memory (NVRAM) which is much smaller than a typical storage system. This system is not usable, however, for protecting a larger storage system.
An additional shortcoming of this device is that if one creates signatures for a large storage system, calculating the signature will be too costly and time consuming. To address this, the conventional system proposes that the storage system be divided into regions and that signatures be created for only those regions of interest. This method cannot work for storage devices that hold file systems, where the location of a file the user is interested in can change or where, for example, an increase in the size of a file is acceptable. Therefore, this conventional system is essentially usable for protecting NVRAM and complementary metal oxide semiconductor (CMOS) memories, and not secondary storage systems with disks.
Prior to the present invention, there have been no storage-based intrusion detection methods or systems, other than those implemented in file servers, that monitor modifications to files rather than only to memory regions. Monitoring files provides a great benefit, as the data blocks of a file can be scattered around and can change location over time because of computer system operations, such as disk defragmentation. Systems where access rules are defined for memory regions will be ineffective in such environments.
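The following is an added illustration, not part of the patent text, of the region-signature scheme described above and of the shortcoming just noted. It models a toy block volume (constructed here; the block size, the file-to-block map and the `defragment` routine are assumptions of the example) and compares signatures computed per fixed block region with signatures computed per file. A benign relocation of a file's blocks changes the region signatures but not the file signature, whereas an in-place unwanted modification changes both.

```python
import hashlib
from dataclasses import dataclass, field

BLOCK_SIZE = 4  # constructed: tiny blocks keep the example readable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Volume:
    """Toy block device: fixed-size blocks plus a file-to-block map (constructed)."""
    blocks: list
    files: dict = field(default_factory=dict)  # name -> ordered list of block indexes

    def read_file(self, name: str) -> bytes:
        return b"".join(self.blocks[i] for i in self.files[name])


def region_signatures(vol: Volume, regions) -> dict:
    """Conventional scheme: one signature per region, a region being a range of block indexes."""
    return {r: sha256_hex(b"".join(vol.blocks[i] for i in range(*r))) for r in regions}


def file_signatures(vol: Volume) -> dict:
    """File-oriented scheme: signature over a file's content, wherever its blocks currently live."""
    return {name: sha256_hex(vol.read_file(name)) for name in vol.files}


def changed(old: dict, new: dict) -> list:
    """Keys whose signature differs between two signature sets."""
    return sorted(k for k in old if old[k] != new.get(k))


def defragment(vol: Volume, name: str, new_start: int) -> None:
    """Move a file's blocks to a contiguous run starting at new_start; content is unchanged."""
    data = [vol.blocks[i] for i in vol.files[name]]
    for i in vol.files[name]:
        vol.blocks[i] = b"\0" * BLOCK_SIZE
    for k, chunk in enumerate(data):
        vol.blocks[new_start + k] = chunk
    vol.files[name] = list(range(new_start, new_start + len(data)))


def make_volume() -> Volume:
    """Eight empty blocks with one two-block file scattered at indexes 0 and 5 (constructed)."""
    vol = Volume([b"\0" * BLOCK_SIZE for _ in range(8)])
    vol.blocks[0], vol.blocks[5] = b"pass", b"wd!!"
    vol.files["passwd"] = [0, 5]
    return vol


def demo():
    """Return (changes after defragmentation, changes after tampering), each as
    (changed regions, changed files)."""
    vol = make_volume()
    regions = [(0, 4), (4, 8)]
    base_region = region_signatures(vol, regions)
    base_file = file_signatures(vol)

    # Benign relocation: a defragmenter moves the file to blocks 2..3.
    defragment(vol, "passwd", 2)
    after_defrag = (changed(base_region, region_signatures(vol, regions)),
                    changed(base_file, file_signatures(vol)))

    # Simulated unwanted modification: the file's second block is overwritten in place.
    vol.blocks[vol.files["passwd"][1]] = b"wd??"
    after_tamper = (changed(base_region, region_signatures(vol, regions)),
                    changed(base_file, file_signatures(vol)))
    return after_defrag, after_tamper


if __name__ == "__main__":
    print(demo())
```

After the defragmentation both regions are reported as changed although no file content changed, which is the false alarm a region-based rule set produces on a volume holding a file system; the file-level signature reports nothing. After the in-place overwrite both schemes report a change, but only the file-level one names the affected file.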
Furthermore, in conventional devices, in order to recover compromised data after an intrusion or any other possible source of unwanted change, it is necessary to have made a complete volume copy of data regions that the user desires to recover. While this may be practical in a small storage system such as the computer CMOS NVRAM, it would require a significant amount of additional storage for storage systems. Additionally, since the volume copy is not generated periodically in the conventional systems, even when a volume copy exists, it can be very outdated.
Thus, prior to the present invention, there has been no intrusion detection method (and system) where periodic point-in-time copies are made so that the user will always have a recent copy to fall back to when an intrusion is detected. Further, there has been no intrusion detection method and system that performs periodic copies in a large storage system.
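As an added example (not part of the patent text), the following models the periodic point-in-time copy strategy contrasted above with one-off full volume copies. A toy volume re-checks its signature at every tick; if it still matches the signature recorded after the last authorized change, a point-in-time copy is taken into a bounded ring, otherwise the volume is rolled back to the most recent copy that itself still verifies. The ring size, the tick schedule and the `authorized_write` path are assumptions of the example.

```python
import hashlib


def signature(blocks) -> str:
    """Signature over the whole toy volume (constructed)."""
    return hashlib.sha256(b"".join(blocks)).hexdigest()


class ProtectedVolume:
    """Toy block volume keeping a bounded ring of point-in-time copies (assumption of the example)."""

    def __init__(self, blocks, max_snapshots: int = 3):
        self.blocks = list(blocks)
        self.max_snapshots = max_snapshots
        self.snapshots = []  # (tick, copy of blocks, signature), oldest first
        self.expected = signature(self.blocks)  # signature after the last authorized change

    def authorized_write(self, index: int, data: bytes) -> None:
        """A write through the sanctioned path updates the expected signature."""
        self.blocks[index] = data
        self.expected = signature(self.blocks)

    def check(self) -> bool:
        """Recreate the signature and compare it with the expected one."""
        return signature(self.blocks) == self.expected

    def snapshot(self, tick: int) -> bool:
        """Take a point-in-time copy only of state that verifies, so an unwanted
        modification is never preserved as a recovery point."""
        if not self.check():
            return False
        self.snapshots.append((tick, list(self.blocks), self.expected))
        del self.snapshots[:-self.max_snapshots]  # keep storage bounded
        return True

    def recover(self):
        """Roll back to the most recent verifying copy; return its tick, or None."""
        for tick, blocks, sig in reversed(self.snapshots):
            if signature(blocks) == sig:
                self.blocks = list(blocks)
                self.expected = sig
                return tick
        return None


def simulate():
    """Six ticks: an authorized write at tick 2 and a simulated unwanted
    modification at tick 5 (both constructed). Returns (event log, final blocks)."""
    vol = ProtectedVolume([b"blk0", b"blk1", b"blk2"])
    log = []
    for tick in range(1, 7):
        if tick == 2:
            vol.authorized_write(1, b"new1")
        if tick == 5:
            vol.blocks[2] = b"bad2"  # bypasses the authorized path
        if vol.check():
            vol.snapshot(tick)
            log.append((tick, "ok"))
        else:
            restored = vol.recover()
            log.append((tick, f"restored-from-{restored}"))
    return log, vol.blocks


if __name__ == "__main__":
    for entry in simulate()[0]:
        print(entry)
```

Because a copy is taken at every verified tick, the rollback at tick 5 lands on the copy from tick 4 and keeps the authorized write from tick 2, whereas a single volume copy taken at tick 1 would have lost it; the ring bound keeps the extra storage proportional to a fixed number of copies rather than growing with time.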